Component Inventory
Spectorn is organized around the production API gateway first, with protection, memory, SOC, and dashboard capabilities layered around it.
spectorn-server
Role: OpenAI-compatible API gateway and control plane.
| Attribute | Value |
|---|---|
| Language | Rust |
| Interfaces | /v1/chat/completions, /v1/scan, dashboard/admin APIs, Stripe webhook |
| Key state | API keys, tenant policy, providers, model routes, sessions, usage, billing |
Key capabilities:
- Tenant-scoped API keys and role/session handling.
- Provider routing with BYOK and hosted-provider fallback.
- Prompt scanning before model forwarding.
- Recalled-memory scanning before prompt injection.
- Non-streaming and SSE output scanning.
- SSRF-resistant upstream base URL validation.
- Production readiness checks for secrets, CORS, memory, audit, and process-local topology.
Files: spectorn-server/src/
sentinel-core
Role: Detection engine library used by the gateway and SOC paths.
| Attribute | Value |
|---|---|
| Language | Rust |
| Interfaces | PyO3 registry path and native/FFI path |
| Exact engine count | Treat as implementation metadata; verify from bindings.rs and all_engine_names() |
Key capabilities:
- Pattern and heuristic analysis for prompt injection, jailbreak, exfiltration, moderation, tool abuse, and related categories.
- Raw obfuscation analysis plus decode-and-rescan paths, including ROT13 parity on native/FFI.
- Sentinel Lattice-inspired runtime heuristics. Formal/state-enumeration routines are not claimed as production LTL proof unless a runtime path and tests explicitly say so.
- ML/semantic/anomaly signals where enabled by build/runtime configuration.
Files: sentinel-core/src/engines/, sentinel-core/src/bindings.rs
gomcp
Role: SOC pipeline, MCP server, memory backend, and experimental runtime guard host.
| Attribute | Value |
|---|---|
| Language | Go |
| Build | Zero-CGO default |
| Main areas | SOC API, MCP tools, memory, cmd/immune |
Key capabilities:
- SOC event ingestion, correlation, and audit trails.
- Memory/fact storage used by the gateway memory layer.
- MCP tool surface.
- Experimental immune/runtime guard implementation under
gomcp/cmd/immune.
Files: gomcp/cmd/, gomcp/internal/
shield
Role: DMZ/protocol-validation component.
| Attribute | Value |
|---|---|
| Language | C11 |
| Focus | Protocol validation, rate limiting, anti-DoS, CLI/RBAC hardening |
Files: shield/
dashboard
Role: User cabinet, admin/operator UI, and SOC visibility surface.
| Attribute | Value |
|---|---|
| Framework | Next.js / React |
| Focus | Customer onboarding, API keys, providers/models, billing, security visibility, admin operations |
Files: dashboard/
Universal Sidecar
Role: Sensor adapter that can send external logs/events into the SOC path.
Files: sentinel-sidecar/ if present in the deployment tree.
Communication Matrix
| From > To | Protocol | Purpose |
|---|---|---|
| Client > spectorn-server | HTTPS JSON/SSE | API gateway traffic |
| spectorn-server > sentinel-core | in-process Rust/PyO3/native | Input/output analysis |
| spectorn-server > upstream provider | HTTPS JSON/SSE | OpenAI-compatible model calls |
| spectorn-server > gomcp | process/API integration where configured | Memory and SOC integration |
| gomcp > dashboard | HTTP/SSE where configured | Operator/user visibility |
Technology Choices
| Decision | Choice | Rationale |
|---|---|---|
| API gateway | Rust | Fail-closed security path, async HTTP, strong typing |
| Detection engines | Rust | Memory safety and fast text analysis |
| SOC/memory | Go | Static binaries and concurrency |
| DMZ component | C11 | Low-level protocol/security work |
| Dashboard | Next.js | Product UI and admin workflows |
Honesty Rules
- Do not publish engine counts as customer guarantees unless the count is generated from the current build.
- Do not publish per-layer detection percentages unless they come from a named benchmark corpus and harness.
- Do not describe
immuneas production kernel/eBPF enforcement until that path exists, is wired, and has deployment evidence.